[ https://issues.apache.org/jira/browse/FLINK-38469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated FLINK-38469:
-----------------------------------
Labels: pull-request-available (was: )
> Bump apache-beam for PyFlink to >= 2.66 to address CVE-2024-52338 for pyarrow
> -----------------------------------------------------------------------------
>
> Key: FLINK-38469
> URL: https://issues.apache.org/jira/browse/FLINK-38469
> Project: Flink
> Issue Type: Improvement
> Components: API / Python
> Reporter: Wren
> Priority: Major
> Labels: pull-request-available
>
> There is no NVD assessment of the CVE yet but the CISA-ADP rating for [NVD -
> CVE-2024-52338|https://nvd.nist.gov/vuln/detail/CVE-2024-52338] is 9.8
> (Critical). Similar to the related and prior FLINK-35282, we should bump up
> the apache-beam version to be >= 2.66 to get a transitive dependency for
> pyarrow to be >= 17.0.0.
> The current
> [flink-python/pyproject.toml|https://github.com/apache/flink/blob/2be4355388fd75d1507cfd95740054914b567916/flink-python/pyproject.toml#L26-L35]
> has the following version range:
> {code:none}
> "apache-beam>=2.54.0,<=2.61.0",
> ...
> "apache-beam>=2.54.0,<=2.61.0",
> {code}
> The version range for pyarrow was bumped up to be beyond 17.0.0 in
> apache-beam starting 2.66 (see [commit
> 9f6ecc6409286a523ac5995dbdcb5cddb0b12cee|https://github.com/apache/beam/commit/9f6ecc6409286a523ac5995dbdcb5cddb0b12cee#diff-1275c48808de339ef6f282d844c83ec441b5cfa0debc373fdcb7dba497da4fc8])
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
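As an added check in the spirit of the issue above (this is not Flink or Beam code), the script below tests whether a pyproject-style range such as the quoted one still admits the release that carries the fix, and whether the local environment already has a pyarrow at or above 17.0.0. The version range and the targets come from the issue text; the function names and the simplified specifier grammar are this example's own assumptions.

```python
"""Added example: does a dependency range admit the fixed release?

The range and fix targets below are the ones quoted in FLINK-38469; the
specifier grammar handled here is a deliberate subset (no ~=, ===, wildcards).
"""
import re
from importlib import metadata

CURRENT_BEAM_RANGE = "apache-beam>=2.54.0,<=2.61.0"  # range quoted in the issue
BEAM_FIX = "2.66"        # first apache-beam release that lets pyarrow go >= 17
PYARROW_FIX = "17.0.0"   # pyarrow release the issue wants transitively

_CLAUSE = re.compile(r"^(>=|<=|==|!=|>|<)\s*([0-9][0-9.]*)$")

def parse_version(text: str) -> tuple:
    """Leading numeric components only; '2.66' and '2.66.0' compare equal.
    Pre-release/local suffixes (e.g. '.dev1') are ignored, an approximation."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_requirement(req: str):
    """Split 'name>=a,<=b' into (name, [(op, version_tuple), ...])."""
    m = re.match(r"^\s*([A-Za-z0-9._-]+)\s*(.*)$", req)
    name, spec = m.group(1), m.group(2).strip()
    clauses = []
    for part in filter(None, (p.strip() for p in spec.split(","))):
        cm = _CLAUSE.match(part)
        if not cm:
            raise ValueError(f"unsupported specifier clause: {part!r}")
        clauses.append((cm.group(1), parse_version(cm.group(2))))
    return name, clauses

_OPS = {">=": lambda v, b: v >= b, "<=": lambda v, b: v <= b,
        "==": lambda v, b: v == b, "!=": lambda v, b: v != b,
        ">": lambda v, b: v > b, "<": lambda v, b: v < b}

def admits(req: str, version: str) -> bool:
    """True if every clause of the requirement accepts `version`."""
    _, clauses = parse_requirement(req)
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in clauses)

def installed_meets(dist: str, minimum: str):
    """None if `dist` is not installed here, else whether it is >= minimum."""
    try:
        installed = metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None
    return parse_version(installed) >= parse_version(minimum)

if __name__ == "__main__":
    print("range admits beam", BEAM_FIX, "->", admits(CURRENT_BEAM_RANGE, BEAM_FIX))
    print("installed pyarrow >=", PYARROW_FIX, "->", installed_meets("pyarrow", PYARROW_FIX))
```

With the range quoted in the issue the first check reports False, which is exactly why the upper bound has to move before the transitive pyarrow fix can reach PyFlink users.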